Abstract



We propose and construct a quantum money scheme that allows verification through classical 
communication with a bank. This is the first demonstration that a secure quantum money 
scheme exists that does not require quantum communication for coin verification. 

Our scheme is secure against adaptive adversaries - this property is not directly related to the 
possibility of classical verification, nevertheless none of the earlier quantum money constructions 
is known to possess it. 

1 Introduction 

In 1983 Wiesner [Wie83] proposed a new quantum cryptographic scheme, that later became known as quantum money. Informally, a quantum coin is a unique object that can be created by a trusted bank, then circulated among untrusted holders.¹ A holder of a coin should be able to verify it, and the verification must confirm that the coin is authentic if it has been circulated according to the prescribed rules. On the other hand, if a holder wants to counterfeit a coin, that is, to create several objects such that each of them would pass verification, he must fail in doing so with overwhelmingly high probability.

Wiesner has demonstrated that quantum mechanics (as opposed to classical physics) allows 
money schemes, and the basic principle that made such constructions possible was that of quantum 
uncertainty. The principle states that there are properties of a quantum object that are known 
to its "manufacturer" but cannot be learnt by an observer who measures the object; nevertheless, 
those properties can be later "verified" by the manufacturer. Accordingly, a bank can prepare 
objects with this kind of "secret properties" and let the holders use them as quantum coins - not 
knowing the secrets, untrusted holders would not be able to forge counterfeits. 

1.1 Prior work 

In Wiesner's original construction [Wie83, BBBW83] a coin had to be sent back to the bank in order to get verified. This could be viewed as a possible drawback: a coin might get "stolen", or intentionally "ruined" by an adversary who had access to the communication channel between a coin holder and the bank.

This problem has been addressed in a number of works. The approach taken by Aaronson [Aar09], Lutomirski et al. [LAF+10], Farhi et al. [FGH+10] and in the upcoming Aaronson and Christiano [AC12] was to allow the holders to verify quantum coins locally, not having to contact the bank. Clearly, in this situation an adversary can, given unlimited computational resources, produce as many counterfeit coins as he wishes (being able to locally verify implies having a complete description of all objects that would pass the verification, so coin forgery becomes an achievable, albeit possibly computationally expensive task). What is worse, the present state of mathematical development only allows one to conjecture that certain tasks are hard for a reasonably powerful model of computation, and a major breakthrough would be required to argue that a scheme of this type is secure, say, against an adversary who can use a Turing machine.

1 The notation is still unsettled in this relatively new area of research. In particular, each coin in our construction will have its own identification number, and some authors would call such items quantum banknotes, to emphasize the uniqueness. Also, what we call a bank is sometimes addressed as a mint.

In a different line of research, Tokunaga, Okamoto and Imoto [TOI03] and Mosca and Stebila [MS10] considered the problem of creating quantum money that can be used anonymously.² In [TOI03] a coin holder introduces some local randomness into the state of a coin to obtain anonymity. In [MS10] the construction allows multiple identical (but still resistant to counterfeiting) instances of quantum coins. In both of these works quantum communication with a bank is required in order to use the scheme ([MS10] discusses the hypothetical possibility of using computational hardness assumptions to allow local verification).

Relatively recently another limitation of all previously known quantum money schemes has been noticed by Aaronson [Aar09] and by Lutomirski [Lut10]: An adversary can gain even more power from interacting adaptively with the bank. No quantum money scheme was known to be resistant to this type of attack; in fact, [Lut10] has shown a very efficient adaptive attack against one version of Wiesner's scheme (which was unconditionally secure against non-adaptive adversaries).



1.2 Our results 

In this work we propose to use classical communication with a bank in order to verify a quantum 
coin. We construct such a scheme. This is the first demonstration that a secure quantum money 
scheme exists that does not require quantum communication for coin verification. 
Some advantages of our construction over the previously known ones are: 

• Unlike the original scheme of Wiesner and the constructions of Mosca and Stebila, our construction does not require quantum communication with a bank in order to verify a coin.

• We prove that our scheme is (unconditionally) secure; security arguments for schemes with local verification require either unproved hardness assumptions or a major mathematical breakthrough (complexity lower bounds). Moreover, to the best of our knowledge, no such scheme has been shown to be secure under so-called "widely believed" unproved assumptions.³

• Unlike the schemes with local verification, our construction remains secure against a computationally unlimited adversary who obeys the laws of quantum mechanics.

Besides offering possible practical advantages, the concept of quantum money with classical 
verification gives rise to natural and attractive theoretical questions. 

Another advantage of our construction is not directly related to the possibility of quantum 
verification: 

• Our scheme remains secure against an adversary who uses adaptive multi-round attacks; no 
such scheme was known before. 

2 Note that locally verifiable coins can be viewed as a partial answer to this requirement: when the bank isn't 
involved in the verification procedure it cannot "trace" the transactions. 

3 It has happened that a proposed scheme was broken soon after its publication. 
Note that adaptive multi-round attacks are also conceivable in the case of money schemes with quantum verification alone: an adversary can, for example, "split" a coin into two "fragments", send one of them to the bank and collect the response, and later use the remaining fragment in a way that would depend on the bank's response to the first fragment. Indeed, Lutomirski [Lut10] has demonstrated a linear-time adaptive attack against one version of Wiesner's scheme, which was provably secure against non-adaptive adversaries. Before this work it was open whether any quantum money scheme can be resistant to adaptive multi-round attacks.

We call our quantum money scheme Q. In order to verify a Q-coin a holder has to contact the 
bank via a classical communication channel and perform quantum measurements, as directed by 
the bank, then report the outcomes. In the end the bank either confirms that the coin is valid or 
rejects it. 

Our construction has the following specific properties: 

• The coins are exponentially hard to counterfeit (cf. Theorem 5.1 and Corollary 5.2).

• The classical communication channel used for verification can be unencrypted: e.g., both the 
bank and the coin holder can broadcast their messages, without compromising security of the 
scheme. 

• Our scheme remains secure against an adversary who uses adaptive "attempted verifications" 
in order to collect information about a coin. Exponentially many such attempts have to be 
made before one has non-negligible chances to counterfeit a coin. 

• The database of the bank is static, and therefore many de-centralized "verification branches" 
can exist that do not have to communicate with one another. 

• The number of verifications that a Q-coin can go through is limited - the number of qubits required to store a coin is polynomial in the number of validity tests via classical communication that the coin can go through during its circulation period (after that it would have to be replaced by the bank). We show that this dependency is optimal (cf. Theorem 6.1).

1.3 Related work 

Using a different approach, Aaronson and Christiano in the upcoming [AC12] will construct a scheme that uses quantum communication with a bank for verification (like Wiesner's original scheme) and is resistant against adaptive multi-round attacks.

Very recently some of the ideas proposed in this work have been further developed by Pastawski et al. [PYJ+11] and by Molina et al. [MVW12].

2 Who needs quantum money? 

The first quantum money scheme was proposed by Wiesner more than 30 years ago (several years before [Wie83] was published). Nevertheless, there seems to remain some confusion about the advantages that quantum money has over possible classical constructions. Below we reproduce a typical "classical money" proposal, then discuss the advantages of Wiesner's scheme, then further advantages of our construction.

Note that here we are not comparing our scheme to the previously known ones (that was the subject of Section 1.2). Instead, this part (informally) addresses the question posed by its title.
2.1 A classical proposal



Let every coin issued by the bank contain a secret string s, known only to the bank and to the 
current coin holder. When a coin holder Alice wants to pass her coin to a new coin holder Bob, 
they run the following protocol: 

• Alice sends to the bank the string s and tells the bank that she wants to pass the coin to 
Bob. 

• The bank checks that s is a valid secret string (if not then a forgery attempt has been 
detected), then erases s from the list of valid strings and adds to the list a newly generated 
secret string s' . 

• The bank sends s' to Bob; henceforth, Bob holds the coin. 

2.2 Advantages of Wiesner's scheme 

• The bank's database can be static (for the classical scheme to be secure, it is crucial that a 
new secret string is issued each time a coin is passed along). 

• Interaction with the bank does not require 3-party authentication (for the classical scheme 
to be secure, the bank has to make sure that the only recipient of the newly generated secret 
string is the party named by Alice in the first round). 

2.3 Advantages of our scheme 

• All the benefits of Wiesner's construction listed above. 

• The communication channel can be classical and not encrypted. Moreover, all the messages 
(both ways) can be openly broadcast. 

• In the classical scheme, as well as in Wiesner's scheme, an intruder who pretends to be the 
bank can steal a valid coin from its fair holder who wants to verify it. Our scheme shields 
against that. 

3 Notation and preliminaries 

For $a \in \mathbb{N}$ we denote $[a] \stackrel{\text{def}}{=} \{1, \ldots, a\}$. Denote by $I_a$ the identity matrix of rank $a$. For any finite $A$ we denote by $U_A$ the uniform distribution over the elements of $A$.
We will use concentration bounds extensively in our proofs.

Theorem 3.1. (Chernoff bound) Let $X_1, \ldots, X_n$ be mutually independent random variables taking values in $[0, 1]$, such that $E[X_i] = \mu$ for all $i \in [n]$. Then for any $\lambda > 0$,
$$\Pr\Big[\sum_{i \in [n]} X_i > (1 + \lambda)\mu n\Big] < e^{-\frac{\lambda^2 \mu n}{2 + \lambda}},$$
and
$$\Pr\Big[\sum_{i \in [n]} X_i < (1 - \lambda)\mu n\Big] < e^{-\frac{\lambda^2 \mu n}{2}}.$$
We also need a generalization, originally proved by Panconesi and Srinivasan [PS97]. The following version of it is due to Impagliazzo and Kabanets [IK10].

Theorem 3.2. (Generalized Chernoff bound) Let $X_1, \ldots, X_n$ be Boolean random variables, such that for some $\delta$ and every $S \subseteq [n]$ it holds that $\Pr[\wedge_{i \in S} X_i = 1] \le \delta^{|S|}$. Then
$$\Pr\Big[\sum_{i \in [n]} X_i > (1 + \lambda)\delta n\Big] < e^{-2n\lambda^2\delta^2}.$$

Corollary 3.3. Let $X_1, \ldots, X_n$ be Boolean random variables, such that for all $i \in [n]$ and any event $C$ that only depends on $\{X_j \mid j \ne i\}$ it holds that $\Pr[X_i = 1 \mid C] \le \delta$. Then
$$\Pr\Big[\sum_{i \in [n]} X_i > (1 + \lambda)\delta n\Big] < e^{-2n\lambda^2\delta^2}.$$

Proof. For every $S \subseteq [n]$,
$$\Pr\Big[\wedge_{i \in [|S|]} X_{S_i} = 1\Big] = \prod_{i \in [|S|]} \Pr\Big[X_{S_i} = 1 \,\Big|\, X_{S_1} = \cdots = X_{S_{i-1}} = 1\Big] \le \delta^{|S|},$$
where $S_i$ is the $i$'th least element of $S$.



We will also need the following combinatorial lemma (a rather standard one, e.g., see Lemma 2.2 in Jukna [Juk01]).

Lemma 3.4. Let $A_1, \ldots, A_N$ be subsets of $[n]$ of average size $t$. Suppose that $|A_i \cap A_j| \le s$ for every $i \ne j$. Then either $N < 2n/t$ or $s \ge t^2/2n$ (or both).⁴

Proof. For $x \in [n]$, let $d(x) \stackrel{\text{def}}{=} |\{i \mid x \in A_i\}|$. On the one hand,
$$\sum_{x=1}^{n} d(x)^2 \ge \frac{\Big(\sum_{x=1}^{n} d(x)\Big)^2}{n} = \frac{\Big(\sum_{i=1}^{N} |A_i|\Big)^2}{n} = \frac{N^2 t^2}{n}.$$
On the other hand,
$$\sum_{x=1}^{n} d(x)^2 = \sum_{i=1}^{N} \sum_{j=1}^{N} |A_i \cap A_j| = \sum_{i=1}^{N} |A_i| + \sum_{i \ne j} |A_i \cap A_j| \le Nt + N(N-1)s.$$
Therefore,
$$\frac{Nt^2}{n} \le t + Ns, \qquad \text{i.e.,} \qquad s \ge \frac{t^2}{n} - \frac{t}{N},$$
and the result follows.

4 The asymptotic guarantees of our Lemma 3.4 are slightly better than those of Lemma 2.2 in [Juk01] - there the main statement is more general, but the result is weaker in the special case that we are interested in.
4 Our quantum money scheme Q



One of the main technical ingredients of our construction is a constant-dimensional (n = 4) special 
case of a relational communication problem called Hidden Matching Problem (HMP), first consid- 
ered by Bar-Yossef, Jayram and Kerenidis [BYJK04] in the context of communication complexity. 

Definition 1. Let $\mathrm{HMP}_4$ be as follows. For $x \in \{0,1\}^4$ and $m, a, b \in \{0, 1\}$, we say that $(x, m, a, b) \in \mathrm{HMP}_4$ if
$$b = \begin{cases} x_1 \oplus x_{2+m} & \text{if } a = 0, \\ x_{3-m} \oplus x_4 & \text{if } a = 1. \end{cases}$$

Intuitively, if we view $x \in \{0,1\}^4$ as a binary coloring of 4 vertices then a tuple $(x, m, a, b)$ satisfies the relation $\mathrm{HMP}_4$ if and only if $b$ indicates whether $x$ assigns distinct colors to the pair of vertices determined by $m$ and $a$.

It has been shown in [BYJK04] that if Alice receives x and Bob receives m then Alice can send 
a short quantum message to Bob that would allow him to produce a valid answer (a, b); on the 
other hand, if Alice is only allowed to send classical bits then a much longer message is required. 
The authors were interested in the asymptotic behavior of quantum and classical communication 
cost of HMP, and they gave an elegant proof that the gap between the two is exponential. 

How can it help us? We want to build a scheme that would be safe against both classical and 
quantum attacks; moreover, we want to be able to carry out certain communication task (testing 
validity of a coin) using only classical communication. So, why are we interested in something 
showing that quantum communication is more powerful than classical? 

The answer is that the role of quantum communication from [BYJK04] in our case is played by 
a quantum coin: when the bank issues a coin, it sends a quantum message to its future holder. The 
core of our construction is the observation (apparently, new to this work) that in certain quantum 
one-way protocol for HMP, a single message from Alice cannot be used by Bob in order to produce 
valid answers w.r.t. several different values of m. In other words, the message cannot be "reused". 
This holds in spite of the fact that a message from Alice cannot depend on m, thus using it Bob 
can produce a valid answer w.r.t. any legitimate value of m. 

In our construction we will use a state $|\alpha(x)\rangle$ of 2 qubits (corresponding to the quantum message that Alice would send to Bob in a one-way protocol for $\mathrm{HMP}_4$) that allows its holder, who is given $m$ but doesn't know $x$, to find an "answer" $(a, b)$ that satisfies $\mathrm{HMP}_4$ with certainty. On the other hand, using the same state in order to find $(a_0, b_0)$ and $(a_1, b_1)$, such that $(x, m, a_m, b_m) \in \mathrm{HMP}_4$ for both $m = 0$ and $m = 1$, would fail with probability at least $1/4$. In other words, our state of 2 qubits will be useful but not reusable for producing an answer to $\mathrm{HMP}_4$.

Let the bank choose $x_1, \ldots, x_k \in \{0,1\}^4$ at random, keep them in secret and produce quantum states $|\alpha(x_1)\rangle, \ldots, |\alpha(x_k)\rangle$. A newly issued Q-coin consists of a piece of paper glued to $k$ quantum registers that hold $|\alpha(x_1)\rangle, \ldots, |\alpha(x_k)\rangle$. The piece of paper contains a unique identification tag and $k$ initially unmarked positions, where the $i$'th position has to be marked when the corresponding $|\alpha(x_i)\rangle$ is used in the verification protocol.

More formally: 



Definition 2. ($\mathrm{HMP}_4$-states) Let $x \in \{0,1\}^4$. The corresponding $\mathrm{HMP}_4$-state is
$$|\alpha(x)\rangle \stackrel{\text{def}}{=} \frac{1}{2} \sum_{1 \le i \le 4} (-1)^{x_i} |i\rangle.$$



Interestingly, the HMP 4 -states (in their multidimensional version) were first considered by 
Kerenidis and de Wolf [KdW04] in order to prove a lower bound on the length of certain codes, 
and that was before the Hidden Matching Problem was defined. 
Definition 3. ($\mathrm{HMP}_4$-queries) An $\mathrm{HMP}_4$-query is an element $m \in \{0,1\}$. A valid answer to the query w.r.t. $x \in \{0,1\}^4$ is a pair $(a, b) \in \{0,1\} \times \{0,1\}$, such that $(x, m, a, b) \in \mathrm{HMP}_4$.

An $\mathrm{HMP}_4$-state can be used to answer an $\mathrm{HMP}_4$-query with certainty: If $m = 0$, let
$$v_1 \stackrel{\text{def}}{=} \frac{|1\rangle + |2\rangle}{\sqrt{2}},\quad v_2 \stackrel{\text{def}}{=} \frac{|1\rangle - |2\rangle}{\sqrt{2}},\quad v_3 \stackrel{\text{def}}{=} \frac{|3\rangle + |4\rangle}{\sqrt{2}},\quad v_4 \stackrel{\text{def}}{=} \frac{|3\rangle - |4\rangle}{\sqrt{2}};$$
otherwise ($m = 1$), let
$$v_1 \stackrel{\text{def}}{=} \frac{|1\rangle + |3\rangle}{\sqrt{2}},\quad v_2 \stackrel{\text{def}}{=} \frac{|1\rangle - |3\rangle}{\sqrt{2}},\quad v_3 \stackrel{\text{def}}{=} \frac{|2\rangle + |4\rangle}{\sqrt{2}},\quad v_4 \stackrel{\text{def}}{=} \frac{|2\rangle - |4\rangle}{\sqrt{2}}.$$

Measure $|\alpha(x)\rangle$ in the basis $\{v_1, v_2, v_3, v_4\}$, and let $(a, b)$ be $(0, 0)$ if the outcome is $v_1$; $(0, 1)$ in the case of $v_2$; $(1, 0)$ in the case of $v_3$; $(1, 1)$ in the case of $v_4$. Then $(x, m, a, b) \in \mathrm{HMP}_4$ always.

Definition 4. (Q-coins) Let $k \in \mathbb{N}$. A secret record consists of $k$ entries $x_1, \ldots, x_k \in \{0,1\}^4$ (i.e., the secret record contains $4k$ bits).

A "fresh" Q-coin corresponding to the record $(x_1, \ldots, x_k)$ consists of

• $k$ quantum registers consisting of 2 qubits each, where the $i$'th register contains $|\alpha(x_i)\rangle$;

• a $k$-bit classical register $P$, that is initially set to $0^k$;

• a unique identification number.

A bank produces fresh Q-coins; as a Q-coin goes through more and more verification protocols, its quantum registers lose their original content (and that shall be reflected in the corresponding bits of $P$, see below). The identification number of every coin issued by the bank must be unique.

To verify a Q-coin through classical communication with the bank, its holder runs the following protocol Ver ($t$ is a parameter in the construction of Q that will be polynomially related to $k$).

Protocol Ver: When a holder of a valid Q-coin follows the protocol, verification goes like this:

1. The holder sends the identification number of the Q-coin to the bank.

2. The bank chooses uniformly at random a set $L_{bnk} \subseteq [k]$ of size $t$, and sends it to the coin holder.

3. The holder consults with $P$ and chooses uniformly at random a set $L_{hld} \subseteq L_{bnk}$ consisting of $2t/3$ yet unmarked positions. He sends $L_{hld}$ to the bank and marks in $P$ all the elements of $L_{hld}$ as used.

4. The bank chooses at random $2t/3$ values $m_i \in \{0,1\}$, one for each $i \in L_{hld}$, and sends them to the coin holder.

5. The holder measures the quantum registers corresponding to the elements of $L_{hld}$ in order to produce $2t/3$ pairs $(a_i, b_i)$, such that $(x_i, m_i, a_i, b_i) \in \mathrm{HMP}_4$ for all $i \in L_{hld}$. He sends the list of $(a_i, b_i)$'s to the bank.

6. The bank checks whether $(x_i, m_i, a_i, b_i) \in \mathrm{HMP}_4$ for all $i \in L_{hld}$, in which case it confirms validity of the Q-coin. Otherwise, the coin is declared to be a counterfeit.
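As an added example (not code from the paper), the following Python simulates the relation HMP_4 of Definition 1, the HMP_4-states of Definition 2, the query-answering measurement of Definition 3, and an honest execution of Ver as listed above, with a bank holding static secret records and a coin carrying its quantum registers and the marker register P. The class names, the seeded random generator and the concrete parameters k = 2400, t = 60 are choices made for this illustration and do not come from the paper. States are kept as real 4-vectors and measurement outcomes are sampled from the exact Born-rule distribution.

```python
# Added example (not code from the paper): exact simulation of HMP_4-states,
# the query-answering measurement, and an honest run of the protocol Ver.
from itertools import product
from math import sqrt
import random

def hmp4(x, m, a, b):
    """The relation HMP_4 (Definition 1); x is a 4-tuple of bits, indexed 0..3 here."""
    if a == 0:
        return b == (x[0] ^ x[1 + m])   # x_1 xor x_{2+m}
    return b == (x[2 - m] ^ x[3])       # x_{3-m} xor x_4

def alpha(x):
    """|alpha(x)> = 1/2 sum_i (-1)^{x_i} |i> (Definition 2) as a real unit 4-vector."""
    return [0.5 * (-1) ** xi for xi in x]

def basis(m):
    """Measurement basis {v_1..v_4} for query m (Definition 3), each vector labelled (a, b)."""
    pairs = [(0, 1), (2, 3)] if m == 0 else [(0, 2), (1, 3)]
    labelled = []
    for a, (i, j) in enumerate(pairs):
        for b, sign in ((0, 1.0), (1, -1.0)):
            v = [0.0] * 4
            v[i], v[j] = 1 / sqrt(2), sign / sqrt(2)
            labelled.append(((a, b), v))
    return labelled

def outcome_distribution(state, m):
    """Born-rule probabilities of the answers (a, b) when `state` is measured in basis(m)."""
    dist = {}
    for ab, v in basis(m):
        p = sum(vi * si for vi, si in zip(v, state)) ** 2
        if p > 1e-12:
            dist[ab] = p
    return dist

def answers_are_always_valid():
    """Every outcome that can occur satisfies HMP_4, for all 16 secrets x and both queries m."""
    for x in product((0, 1), repeat=4):
        for m in (0, 1):
            dist = outcome_distribution(alpha(x), m)
            if abs(sum(dist.values()) - 1.0) > 1e-9:
                return False
            if not all(hmp4(x, m, a, b) for (a, b) in dist):
                return False
    return True

class Coin:
    """A Q-coin: k two-qubit registers, the k-bit register P, and an id (Definition 4)."""
    def __init__(self, coin_id, registers):
        self.id = coin_id
        self.registers = registers        # real 4-vectors; None once a register was measured
        self.P = [0] * len(registers)     # 0^k when the coin is fresh

class Bank:
    """Keeps the static secret records; Ver never changes them (illustrative class, not the paper's)."""
    def __init__(self, k, t, rng):
        self.k, self.t, self.rng = k, t, rng
        self.records = {}

    def issue(self, coin_id):
        xs = [tuple(self.rng.randrange(2) for _ in range(4)) for _ in range(self.k)]
        self.records[coin_id] = xs
        return Coin(coin_id, [alpha(x) for x in xs])

def run_ver(bank, coin, rng):
    """One instance of Ver with an honest holder: returns 'valid', 'counterfeit' or 'retry'."""
    k, t = bank.k, bank.t
    xs = bank.records[coin.id]                                # step 1: bank looks up the id
    L_bnk = rng.sample(range(k), t)                           # step 2
    unmarked = [i for i in L_bnk if coin.P[i] == 0]           # step 3
    if len(unmarked) < 2 * t // 3:
        return "retry"                                        # too many used positions drawn
    L_hld = rng.sample(unmarked, 2 * t // 3)
    for i in L_hld:
        coin.P[i] = 1
    ms = {i: rng.randrange(2) for i in L_hld}                 # step 4
    answers = {}
    for i in L_hld:                                           # step 5: measure and consume
        dist = outcome_distribution(coin.registers[i], ms[i])
        answers[i] = rng.choices(list(dist), weights=list(dist.values()))[0]
        coin.registers[i] = None
    ok = all(hmp4(xs[i], ms[i], *answers[i]) for i in L_hld)  # step 6
    return "valid" if ok else "counterfeit"

def circulate(k, t, seed=0):
    """Run Ver on a fresh honest coin until k/4 registers are used; returns (#valid, #retry, #counterfeit)."""
    rng = random.Random(seed)
    bank = Bank(k, t, rng)
    coin = bank.issue(coin_id=1)
    counts = {"valid": 0, "retry": 0, "counterfeit": 0}
    while sum(coin.P) + 2 * t // 3 <= k // 4:
        counts[run_ver(bank, coin, rng)] += 1
    return counts["valid"], counts["retry"], counts["counterfeit"]
```

`circulate(2400, 60)` runs Ver until k/4 registers are used and reports how many runs were accepted, how many had to be restarted (the bank's t positions contained fewer than 2t/3 unmarked ones) and how many were rejected; for an honest coin the last count is always zero and the accepted count equals ⌊3k/(8t)⌋, here 15. Note that for x = 0000 and m = 0 the measurement returns (0,0) or (1,0) with probability 1/2 each, so the outcome is random but, as Definition 3 states, always a valid answer.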
We will say that an instance of Ver has been passed or won if the bank's final response was "valid".

Observe that a fair coin holder fails to pass Ver with exponentially small probability (corresponding to the situation when less than $k/4$ of the coin registers are marked as used, but among the $t$ registers that were uniformly chosen by the bank more than $t/3$ are marked as used). If this happens, a new run of Ver can be started.

It follows from the earlier discussion that both the bank and a fair coin holder can perform their parts of Ver efficiently. Note also that the secret records kept by the bank do not change as a result of executing Ver - that is, the bank's database is static.

Intuitively, adversarial ability to counterfeit a Q-coin shall imply ability to answer w.r.t. the same quantum register $i$ both to the question $m_i = 0$ and to $m_i = 1$. As we said before, that can be done with probability at most $3/4$; moreover, it turns out that in order to successfully counterfeit a coin the adversary must be able to answer both the $\mathrm{HMP}_4$-queries w.r.t. a considerable fraction of the coin's registers, and that will imply exponentially small probability of adversarial success. We will formalize and prove this intuition in Section 5.

We will show (cf. Theorem 5.1 and Corollary 5.2) that only after an adversary has run $e^{\Omega(t^2/k)}$ auxiliary instances of Ver, he might be able to counterfeit a Q-coin with success probability higher than $e^{-\Omega(t^2/k)}$.

Note that every run of Ver "costs" $2t/3$ yet unused quantum registers. As soon as $k/4$ registers have been used, the Q-coin has to be returned to the bank (the bank would still be able to verify its validity and issue a replacement). Accordingly, after $\lfloor 3k/8t \rfloor$ runs of Ver a Q-coin has to be returned to the bank.

To conclude: Choosing, for example, $t \in \Theta(k^{3/4})$ gives a construction where a coin that consists of $2k$ qubits can go through $\Omega(k^{1/4})$ validity tests via classical communication with the bank, and where it takes $e^{k^{\Omega(1)}}$ time to forge a counterfeit with probability higher than $e^{-k^{\Omega(1)}}$. The bank's secret database contains $4k$ bits corresponding to every coin, and those records are static (in particular, many de-centralized "verification branches" can exist that do not have to communicate with one another). In Section 6 we will show that these parameters are very close to the best possible.

5 Security of Q 

We are giving "extended security guarantees", as follows. Instead of only arguing that the first cheating attempt is not likely to succeed, we allow an adversary to use multiple attacking attempts - namely, even having been caught cheating in the past, he may continue his attempts. Recall that we allow adaptive attacks, thus something learnt from the earlier attempts might help the adversary in future attacks.

Informally, our security guarantees will be expressed like this: An exponentially large number of partially completed instances⁵ of Ver are required for an adversary to have non-negligible probability to make a counterfeit coin.

A high-level view of our security analysis is as follows. First we make preliminary observations regarding possible attacks on the Q-scheme (Section 5.1), and demonstrate useful properties of $\mathrm{HMP}_4$-states (Section 5.2). Then we claim that counterfeiting a Q-coin has its "cost", in terms of the number of preliminary runs of Ver that are required in order to collect enough auxiliary information about the coin (Section 5.3). Finally, we reduce unrestricted attacks to more structured ones and show their limitations (Sections 5.4 and 5.5 respectively). We conclude in Section 5.6 that exponentially many preliminary runs of Ver are required in order to counterfeit a Q-coin.

5 By a partially completed protocol we mean an instance of Ver, where the first response from the bank has been received and analyzed by the adversary.

5.1 Possible attacks and security guarantees 

Our goal will be to show that a Q-coin is hard to counterfeit. First, we want to argue that in order to establish security of our Q-scheme it is enough to consider the situation when, starting with a fresh authentic Q-coin, an adversary runs many instances of Ver (possibly in a non-consecutive manner) for this coin,⁶ and his goal is to produce two (possibly entangled) quantum objects that have non-negligible probability to be accepted by the bank as valid coins.

Probably, the most harmful attack on Q would be the one where an adversary starts with $M$ fresh Q-coins, and his goal is to produce $M + 1$ quantum objects that are all likely to be accepted as valid Q-coins.⁷ Let us look at the "two out of one" security guarantee that we give for the Q-scheme, and see how it implies robustness against "multi-coin" attacks.

Let us call the first response a message that the bank sends in step 2 of Ver (that is, a list of $t$ positions). In Section 5.6 we establish the following theorem.

Theorem 5.1. Let a fresh Q-coin be given to a computationally unlimited adversary who runs auxiliary instances of Ver for this coin and produces two (possibly entangled) "counterfeits" $\rho_1$ and $\rho_2$. Then
$$U \in e^{\Omega(t^2/k)}$$
exists, such that if the adversary has received and analyzed the first bank's responses in at most $U$ instances of Ver, then the probability that both $\rho_1$ and $\rho_2$ pass Ver is in
$$e^{-\Omega(t^2/k)}.$$

Corollary 5.2. Let $M$ fresh Q-coins be given to a computationally unlimited adversary who analyzes the first bank's responses in at most $U$ auxiliary instances of Ver, for $U$ as in Theorem 5.1. If the adversary outputs $M + 1$ quantum objects then the probability that all of them pass Ver is in
$$M \cdot e^{-\Omega(t^2/k)}.$$



Proof. If the identification numbers of the $M + 1$ produced quantum objects are not a subset of the identification numbers of the $M$ initially given objects then at least one counterfeit has been produced "from scratch", and it is easy to see that the probability of success in this case is negligible.

Otherwise there is at least one identification number that appears more than once among the $M + 1$ produced quantum objects, and with probability at least $1/M$ it is the identification number of any fixed one of the given coins. Starting with a single coin, one can emulate the cheating strategy for $M$ coins by locally creating $M - 1$ Q-coins and running the protocol, locally computing the bank's responses according to Ver w.r.t. any of the $M - 1$ auxiliary coins. If at the end of the emulation at least two objects are marked with the same identification number as the given coin then those two objects are returned, otherwise arbitrary output is produced.

If the $M$-coin counterfeit strategy produces $M + 1$ quantum objects that successfully pass verification with probability $\varepsilon$, then the strategy above succeeds in counterfeiting a single coin with probability at least $\varepsilon/M$, and the corollary follows from Theorem 5.1. ■

6 Note that every run of Ver can be associated with a certain Q-coin via its identification number, as reported by the coin holder in the first round of a protocol.

7 Several modifications of this cheating setup can be considered, but it seems that all of them can be reduced to 
the "M + 1 out of M" regime. 
5.2 Quantum retrieval games

To analyze some useful properties of $\mathrm{HMP}_4$-states we define the notions of quantum retrieval games, physical projections, and selective projections.

Definition 5. (quantum retrieval games) Let $k, m, n \in \mathbb{N}$, $\sigma \subseteq [m] \times [n]$, and $\forall a \in [n]$ let $\rho_a \in \mathbb{C}^{k \times k}$ be positive semidefinite such that $\operatorname{tr}(\sum_a \rho_a) = 1$. Then $\mathcal{G} = ((\rho_a)_{a \in [n]}, \sigma)$ is a quantum retrieval game.

The notion of quantum retrieval games is aimed to model the situation when a mixed quantum state $\sum_a \rho_a$ is measured in order to extract some information about $a$. The relation $\sigma$ describes what knowledge is wanted. We will consider situations when an $m$-outcome quantum measurement is applied to $\sum_a \rho_a$, and we say that the game $\mathcal{G}$ has been won if the pair ((outcome of the measurement), $a$) is in $\sigma$. Formally:

Definition 6. (selective and physical projections) Let $\mathcal{P} = \{P_i\}_{i=1}^{m}$ be a set of projections in $\mathbb{C}^{k \times k}$, s.t. $\sum_i P_i \le I$. Call $\mathcal{P}$ a selective projection. A selective projection is called a physical projection if it satisfies $\sum_i P_i = I$.

Definition 7. (selective and physical values of a game) The value of $\mathcal{G}$ w.r.t. $\mathcal{P}$ is defined as
$$\frac{\sum_{(i,a) \in \sigma} \operatorname{tr}(P_i \rho_a)}{\sum_{i,a} \operatorname{tr}(P_i \rho_a)},$$
and if $\mathcal{P}$ is a selective projection then the value is undefined unless $\sum_{i,a} \operatorname{tr}(P_i \rho_a) > 0$. The selective value of $\mathcal{G}$ is the supremum of the game's value w.r.t. selective projections, and the physical value of $\mathcal{G}$ is the supremum of the game's value w.r.t. physical projections.

Note that for physical projections it holds that $\sum_{i,a} \operatorname{tr}(P_i \rho_a) = 1$ (and the above definition simplifies to $\sum_{(i,a) \in \sigma} \operatorname{tr}(P_i \rho_a)$ in that case). Physical projections are the most general "mechanism" offered by quantum mechanics to extract classical information from a quantum state.

Selective projections are, in general, more powerful than physical projections (they correspond to measurements with "postselection", and those are not allowed by the laws of quantum mechanics). We will consider selective projections in some of our impossibility statements; that will allow simpler proofs of the direct product statements that we will need. Like in the case of physical projections, we will view the elements of $\mathcal{P}$ as outcomes. Clearly, the selective value of a game is always at least as large as its physical value.

A physical projection $\mathcal{P}$ corresponds to some POVM measurement, and the elements of $\mathcal{P}$ are the possible outcomes. When it is applied to some (normalized) $\rho \in \mathbb{C}^{k \times k}$, the $i$'th outcome occurs with probability $\operatorname{tr}(P_i \rho)$. If the $i$'th outcome occurred then the state of the quantum register that originally contained $\rho \in \mathbb{C}^{k \times k}$ becomes $M_i \rho M_i^\dagger$, where $M_i = P_i / \sqrt{\operatorname{tr}(P_i \rho)}$. We view selective projections as a generalization of POVMs where the requirement $\sum_i P_i = I$ is replaced by $\sum_i P_i \le I$ and the distribution of outcomes is
$$\Pr[i\text{'th outcome}] = \frac{\operatorname{tr}(P_i \rho)}{\sum_j \operatorname{tr}(P_j \rho)}.$$
The class of selective projections is closed w.r.t. compositions and applying admissible quantum transformations.⁸

8 The class of admissible quantum transformations generalizes the class of unitary transformations to include what 
can be achieved using auxiliary space. 
5.2.1 An $\mathrm{HMP}_4$-state cannot be used twice

We have seen that each $\mathrm{HMP}_4$-state can be used to answer at least one $\mathrm{HMP}_4$-query. To prove that our Q is secure we will have to argue that an $\mathrm{HMP}_4$-state cannot be used to answer two complementary $\mathrm{HMP}_4$-queries with confidence.

Let $\mathcal{G}_{\mathrm{HMP}_4}$ be the quantum retrieval game corresponding to answering both the possible $\mathrm{HMP}_4$-queries using one $\mathrm{HMP}_4$-state, namely
$$\mathcal{G}_{\mathrm{HMP}_4} \stackrel{\text{def}}{=} \Big( \big( \tfrac{1}{16} \cdot |\alpha(x)\rangle\langle\alpha(x)| \big)_{x \in \{0,1\}^4},\ \sigma_{HM} \Big),$$
where
$$\sigma_{HM} = \big\{ (x, (a_0, b_0, a_1, b_1)) \;\big|\; (x, 0, a_0, b_0), (x, 1, a_1, b_1) \in \mathrm{HMP}_4 \big\}.$$
Note that this definition corresponds to the uniform choice of $x \in \{0,1\}^4$.

Lemma 5.3. The selective value of $\mathcal{G}_{\mathrm{HMP}_4}$ is at most $3/4$.⁹

Proof. Note that $\sum_x \frac{1}{16} |\alpha(x)\rangle\langle\alpha(x)| = \frac{1}{4} I_4$. Consider a selective projection that produces a correct answer to $\mathcal{G}_{\mathrm{HMP}_4}$ with probability $\delta$. There must exist an answer $(a'_0, b'_0, a'_1, b'_1)$ that is produced with non-zero probability, and if it is produced then it is correct with probability at least $\delta$ when $x \sim U_{\{0,1\}^4}$. Fix one such answer.

Denote by $E$ the event that $(x, (a'_0, b'_0, a'_1, b'_1)) \in \sigma_{HM}$. By the definition of selective value there exists a projection $P$ such that $\operatorname{tr}(P\rho) > 0$ and if the outcome $P$ occurs then $E$ holds with probability at least $\delta$. We will argue that $E$ cannot be "witnessed" very well by any outcome of measuring $\rho$.

Observe that $E$ always corresponds to choosing three different coordinates $j_1, j_2, j_3 \in [4]$ and fixing the values of $x_{j_1} \oplus x_{j_2}$ and $x_{j_2} \oplus x_{j_3}$. By symmetry of $|\alpha(x)\rangle$, we can, w.l.g., consider the case of witnessing $x_1 = x_2 = x_3$ via measuring of $\rho$.

Let $P = \sum_{i \in [k]} |e_i\rangle\langle e_i|$ for some orthonormal $|e_1\rangle, \ldots, |e_k\rangle$. We have:
$$\delta \le \frac{\operatorname{tr}\big(P \sum_{x_1 = x_2 = x_3} |\alpha(x)\rangle\langle\alpha(x)|\big)}{\operatorname{tr}\big(P \sum_{x \in \{0,1\}^4} |\alpha(x)\rangle\langle\alpha(x)|\big)} \le \max_{i \in [k]} \left\{ \frac{\sum_{x_1 = x_2 = x_3} |\langle e_i | \alpha(x)\rangle|^2}{\langle e_i | \sum_{x \in \{0,1\}^4} |\alpha(x)\rangle\langle\alpha(x)| \,|e_i\rangle} \right\},$$
where $|e_0\rangle \in \{|e_1\rangle, \ldots, |e_k\rangle\}$ attains the optimum of the second inequality (under the "$0/0 = 0$" convention). Let $e_0^{(j)} \stackrel{\text{def}}{=} \langle e_0 | j \rangle$ for $j \in [4]$, then
$$\delta \le \frac{1}{8} \Big( \big|e_0^{(1)} + e_0^{(2)} + e_0^{(3)} + e_0^{(4)}\big|^2 + \big|e_0^{(1)} + e_0^{(2)} + e_0^{(3)} - e_0^{(4)}\big|^2 \Big) \le \frac{3}{4},$$
because $|e_0\rangle$ is a unit vector. ■

For k G N, let Ghmp 4 ^ e t ne naturally defined "product game" that consists of k independent 
instances of Ghmp 4 ■ 

9 From the proof it can be seen that the bound is, actually, tight. 
Corollary 5.4. The selective value of $\mathcal{G}^{k}_{HMP_4}$ is at most $(3/4)^k$.

Proof. Let $\mathcal{G}^{(i)}_{HMP_4}$ denote the $i$'th instance of $\mathcal{G}_{HMP_4}$ "inside" $\mathcal{G}^{k}_{HMP_4}$. Then

$$\Pr\bigl[\mathcal{G}^{k}_{HMP_4}\text{ is won}\bigr] \;=\; \prod_{i\in[k]}\Pr\bigl[\mathcal{G}^{(i)}_{HMP_4}\text{ is won}\;\big|\;\mathcal{G}^{(1)}_{HMP_4},\dots,\mathcal{G}^{(i-1)}_{HMP_4}\text{ are won}\bigr], \qquad (1)$$

where the probabilities are defined w.r.t. the selective measurement being used to play $\mathcal{G}^{k}_{HMP_4}$.

Note that each conditional probability that appears on the right-hand side of (1) is at most $3/4$: otherwise there would exist a selective measurement that used $i-1$ auxiliary instances $\mathcal{G}^{(1)}_{HMP_4},\dots,\mathcal{G}^{(i-1)}_{HMP_4}$ and, conditioned upon winning these $i-1$ instances, won $\mathcal{G}^{(i)}_{HMP_4}$ with probability higher than $3/4$, contradicting Lemma 5.3. The result follows. ■
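As an added example that is not part of the paper, the following Python script checks Lemma 5.3 and footnote 9 numerically. It assumes the HMP_4-state $|\alpha(x)\rangle=\frac12\sum_{i\in[4]}(-1)^{x_i}|i\rangle$ (a normalisation this page does not restate), computes the witnessing probability $\Pr[x_1=x_2=x_3\mid\text{outcome }|e\rangle\langle e|]$ directly from the states, compares it with the closed form in the proof, and exhibits the unit vector $(1,1,1,0)/\sqrt3$ that attains $3/4$. Function names are mine.

```python
"""Added example (not from the paper): numerically checking Lemma 5.3.

Assumption (not restated on this page): the HMP_4-state for x in {0,1}^4 is
    |alpha(x)> = (1/2) * sum_{i in [4]} (-1)^{x_i} |i>,
a unit vector in C^4. Real amplitudes are used; complex ones change nothing
below, since only |<e|alpha(x)>|^2 enters.
"""
import itertools
import math
import random

ALL_X = list(itertools.product((0, 1), repeat=4))


def alpha(x):
    """Amplitudes of |alpha(x)> in the standard basis |1>,...,|4>."""
    return [(-1) ** xi / 2.0 for xi in x]


def inner(e, v):
    """<e|v> for real vectors."""
    return sum(ei * vi for ei, vi in zip(e, v))


def gram_sum():
    """sum_x |alpha(x)><alpha(x)| as a 4x4 matrix (the denominator of the proof).
    For the assumed states it equals 4 times the identity."""
    g = [[0.0] * 4 for _ in range(4)]
    for x in ALL_X:
        a = alpha(x)
        for i in range(4):
            for j in range(4):
                g[i][j] += a[i] * a[j]
    return g


def witness_probability(e, cond):
    """Pr[cond(x) | outcome |e><e|] for x uniform on {0,1}^4, i.e. the ratio of
    sum_{x: cond(x)} |<e|alpha(x)>|^2 to sum_x |<e|alpha(x)>|^2.  A rank-k
    projection P = sum_i |e_i><e_i| yields a weighted average of such ratios,
    so rank one is the worst case (the 'max' step in the proof of Lemma 5.3)."""
    num = sum(inner(e, alpha(x)) ** 2 for x in ALL_X if cond(x))
    den = sum(inner(e, alpha(x)) ** 2 for x in ALL_X)
    return num / den


def x1_eq_x2_eq_x3(x):
    """The event E the proof reduces to: three coordinates of x agree."""
    return x[0] == x[1] == x[2]


def closed_form(e):
    """Bound from the proof for a unit vector e = (e1, e2, e3, e4):
    1/8 * ((e1+e2+e3+e4)^2 + (e1+e2+e3-e4)^2)."""
    s = e[0] + e[1] + e[2]
    return ((s + e[3]) ** 2 + (s - e[3]) ** 2) / 8.0


def random_unit_vector(rng):
    v = [rng.gauss(0.0, 1.0) for _ in range(4)]
    n = math.sqrt(sum(c * c for c in v))
    return [c / n for c in v]


def max_witness_over_random(trials=5000, seed=7):
    """Largest witnessing probability found over random rank-one outcomes.
    Lemma 5.3 says this never exceeds 3/4."""
    rng = random.Random(seed)
    return max(witness_probability(random_unit_vector(rng), x1_eq_x2_eq_x3)
               for _ in range(trials))


def max_closed_form_gap(trials=200, seed=3):
    """Largest |witness_probability - closed_form| over random unit vectors;
    numerically zero, confirming the algebra in the proof."""
    rng = random.Random(seed)
    return max(abs(witness_probability(e, x1_eq_x2_eq_x3) - closed_form(e))
               for e in (random_unit_vector(rng) for _ in range(trials)))


# The outcome that attains 3/4 (footnote 9: the bound is tight).
TIGHT = [1 / math.sqrt(3)] * 3 + [0.0]


def product_game_bound(k):
    """Corollary 5.4: all k independent instances are won with probability <= (3/4)^k."""
    return 0.75 ** k


if __name__ == "__main__":
    print("sum_x |a(x)><a(x)| =", gram_sum())
    print("Pr[x1=x2=x3 | TIGHT] =", witness_probability(TIGHT, x1_eq_x2_eq_x3))
    print("max over random rank-one outcomes =", max_witness_over_random())
```

The script brute-forces all 16 values of $x$, so it doubles as a check that the normalisation $\sum_x|\alpha(x)\rangle\langle\alpha(x)|=4I$ used implicitly in the proof holds for the assumed states.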

5.3 The cost of counterfeiting a Q-coin 

Unless stated otherwise, let $c$ be the Q-coin that an adversary is trying to counterfeit, and let $x$ be the bank's secret string that describes the structure of $c$. We want to argue that in order to achieve his goal, the adversary has to collect a certain minimal amount of additional information about the coin, and that task itself is difficult to fulfill.

Let us assume for the rest of our security analysis that the attack under consideration, denoted by $C$, runs at most $U$ instances of Ver, all of them initiated by sending the identification number of $c$. Informally, $C$ is successful if in the end it outputs quantum states $\rho_1$ and $\rho_2$ (possibly entangled), such that both of them, if given to a trustworthy user, pass Ver with some non-negligible probability. This probability is viewed w.r.t. the randomness present in the construction of $c$, in $C$ itself, and in the final run of Ver.

It is crucial that we consider the probability of both the fakes having been accepted. If instead we were asking what is the smaller of the probabilities that $\rho_j$ passes Ver for $j\in\{1,2\}$, we would end up with a bound of at least $1/2$: for example, an adversary can toss $j\sim\mathcal{U}_{\{1,2\}}$ and make $\rho_j$ to be $c$, and $\rho_{3-j}$ to be anything.

Lemma 5.5. Consider an attack that completes at most $U$ instances of Ver in order to counterfeit $c$. Conditional upon having passed at most $u<U$ instances, the success probability of counterfeiting is at most

$$e^{-\Omega(t)} + e^{\,u\ln U-\Omega(k)}.$$

Proof. For $j\in\{1,2\}$, let $I_j$ be a random variable taking the value of the list of HMP_4-registers that are marked as unused on $\rho_j$. By the definition of Q-scheme it should hold that $|I_j|\ge 3k/4$ (otherwise the forgery would be obvious right away).

Consider the run of Ver for the counterfeit contained in $\rho_j$. For any choice of the $2t/3$-set $L_j$ in step 3 and of "questions" $\{m_i\mid i\in L_j\}$ in step 4, the quantum measurement applied by the coin holder in step 5 can be decomposed into $2t/3$ measurements that access individual registers of $\rho_j$ in order to find answers w.r.t. the corresponding $m_i$. Let us denote by $P^{j,m}_i$ the measurement applied to $\rho_j$ in order to produce $(a_i,b_i)$ when $m_i=m$.

In step 5 of Ver the holder of $\rho_j$ performs the measurements $\{P^{j,m_i}_i\}_{i\in L_j}$ in order to determine the $2t/3$ pairs $(a_i,b_i)$ that he will report to the bank. Now we make two observations that will be crucial for the proof:

• The only pairs of the measurements that do not commute are

$$\bigl\{\,(P^{j,m}_i,\,P^{j,1-m}_i)\;\big|\; j\in\{1,2\},\ i\in[k],\ m\in\{0,1\}\,\bigr\}.$$

• Since the coin holder is now fair to the protocol, the $2t/3$-set $L_j$ chosen in step 3 of Ver is a uniformly random subset of $I_j$. The questions $(m_i)_{i\in L_j}$ are i.i.d. by $\mathcal{U}_{\{0,1\}}$.

Denote by $V_j$ the instance of Ver that tests $\rho_j$, and accordingly define $L_j$ and $(m^j_i)_{i\in L_j}$. Let us view choosing $(m^j_i)_{i\in L_j}$ as first taking $m^j\sim\mathcal{U}_{\{0,1\}^k}$, followed by choosing a random $L_j$ and outputting the projection of $m^j$ to the coordinates in $L_j$. Clearly, the resulting distributions of $L_j$ and $(m^j_i)_{i\in L_j}$ are the same. Therefore, we can replace the protocols $V_1$ and $V_2$ by a new quantum procedure, somewhat more friendly to analyze.

Let $V$ be the following procedure that either accepts or rejects quantum states $\rho_1$ and $\rho_2$:

1. For $j\in\{1,2\}$, choose $m^j\sim\mathcal{U}_{\{0,1\}^k}$.

2. For $j\in\{1,2\}$ and $i\in I_j$, apply $P^{j,m^j_i}_i$ to $\rho_j$ and denote the outcome by $(a^j_i,b^j_i)$.

3. For $j\in\{1,2\}$, choose $L_j$ as a uniformly random subset of $I_j$ of size $2t/3$.

4. Accept if for all $j\in\{1,2\}$ and $i\in L_j$ it holds that $(x_i,m^j_i,a^j_i,b^j_i)\in HMP_4$; reject otherwise.

Observe that all $P^{j,m^j_i}_i$'s that can appear in a single run of $V$ commute, and therefore the probability that $V$ accepts exactly equals the probability that both $V_1$ accepts $\rho_1$ and $V_2$ accepts $\rho_2$.

Denote $I\stackrel{\text{def}}{=} I_1\cap I_2$, $I'\stackrel{\text{def}}{=}\{i\in I\mid m^1_i\ne m^2_i\}$, $\widetilde I_j\stackrel{\text{def}}{=}\{i\in I'\mid (x_i,m^j_i,a^j_i,b^j_i)\notin HMP_4\}$ and $\widetilde I\stackrel{\text{def}}{=}\widetilde I_1\cup\widetilde I_2$. We will see that $\widetilde I$ is unlikely to be small, and if it is big then $V$ is unlikely to accept.

Let us first consider the case when the adversary has not run any preliminary protocol and created $\rho_1$ and $\rho_2$ from $c$ alone, without any auxiliary knowledge about $x$.

By definition, $|I|\ge k/2$. By uniformity of $m^1$ and $m^2$ it holds that $\mathbf{E}\bigl[|I'|\bigr]=|I|/2$, and the Chernoff bound (Theorem 3.1) implies

$$\Pr\Bigl[\,|I'|<\frac{k}{5}\,\Bigr] \;\le\; e^{-|I|/100} \;\le\; e^{-k/200}. \qquad (2)$$

By Lemma 5.3, for every $i_0\in I'$ it holds that $\Pr[i_0\notin\widetilde I]\le 3/4$; moreover, the same remains true even if we condition upon the content of $\widetilde I\setminus\{i_0\}$ (otherwise Lemma 5.3 would be contradicted by a selective measurement that uses auxiliary instances of $\mathcal{G}_{HMP_4}$ in order to win with higher probability, similarly to the proof of Corollary 5.4). Therefore Corollary 3.3 can be used here, resulting in

$$\Pr\Bigl[\,|\widetilde I|<\frac{|I'|}{5}\;\Big|\;|I'|\,\Bigr] \;\le\; e^{-|I'|/200}. \qquad (3)$$

Clearly,

$$\Pr\Bigl[\,|\widetilde I|<\frac{k}{25}\,\Bigr] \;\le\; \Pr\Bigl[\,|I'|<\frac{k}{5}\,\Bigr] + \Pr\Bigl[\,|\widetilde I|<\frac{|I'|}{5}\;\Big|\;|I'|\ge\frac{k}{5}\,\Bigr],$$

which leads, together with (2) and (3), to

$$\Pr\Bigl[\,|\widetilde I|<\frac{k}{25}\;\Big|\;*\,\Bigr] \;\le\; e^{-k/200}+e^{-k/1000}, \qquad (4)$$

where "$*$" is the condition that $\rho_1$ and $\rho_2$ are created from $c$ not using any auxiliary input.
Now assume that in order to produce $\rho_1$ and $\rho_2$ the adversary has completed at most $U$ instances of Ver, and condition upon at most $u$ of them having been passed successfully. The idea here is to emulate the same attack, letting the adversary guess the bank's responses locally. In this form the attack uses no auxiliary data from the bank, which makes $*$ from (4) hold.

According to Ver, the only bank's message that depends on $x$ is the final "accept"/"reject" notice. Therefore, if the adversary (who doesn't know $x$) does his best to predict all bank's responses, such predictions will be statistically indistinguishable from the bank's responses, as long as all "accept"/"reject" verdicts are guessed correctly. The number of different ways to choose at most $u$ "accepts" out of $U$ verdicts is at most $U^u+1$, and therefore they are guessed correctly with probability at least $\frac{1}{U^u+1}$. Thus from (4),

$$\Pr\Bigl[\,|\widetilde I|<\frac{k}{25}\,\Bigr] \;\le\; (U^u+1)\cdot\bigl(e^{-k/200}+e^{-k/1000}\bigr). \qquad (5)$$

Now assume that $|\widetilde I|\ge k/25$. W.l.g., let $|\widetilde I_1|\ge k/50$. Then the probability that $V$ accepts is upper-bounded by the probability that none of the elements of $L_1$ comes from $\widetilde I_1$; since $L_1$ is a uniformly random $2t/3$-subset of $I_1$ and $|I_1|\le k$, that is at most $(49/50)^{2t/3}<(74/75)^t$. Together with (5), this implies that

$$\Pr[\,V\text{ accepts}\,] \;\le\; \Bigl(\frac{74}{75}\Bigr)^{t} + \bigl(e^{-k/200}+e^{-k/1000}\bigr)\cdot(U^u+1),$$

as required. ■



5.4 Phased attacks 

If we could assume that the attack under consideration is phased, in the sense that during cheating phase $i$ the $i$'th steps of all $U$ auxiliary instances of Ver are executed, that would simplify our analysis considerably. In this part we will show that any attack can be transformed, with a modest loss in the success probability, to the nearly-phased form.

Definition 8. (phased and nearly-phased attacks) Let an attack be using $U$ auxiliary instances of Ver.

We say that the scenario is phased if it can be viewed as consisting of 6 consecutive phases, such that at phase $i$ the $i$'th steps of all $U$ auxiliary instances of Ver are executed.

We call the scenario nearly-phased if it is phased with the relaxation that instead of phases 3 and 4 it has a phase called "3–4", when both the 3'rd and the 4'th steps of the auxiliary instances of Ver are executed.

Intuitively, the difference between the two restrictions is that in a nearly-phased scenario an adversary is allowed, say, to choose the $2t/3$ "playing" registers (out of the $t$ suggested by the bank) in auxiliary instance 1 of Ver after he has received the $2t/3$ questions $m_i$ relevant to auxiliary instance 2 of Ver. In the case of phased attacks such behavior is not allowed: the questions $m_i$ relevant to all the auxiliary instances of Ver are available to the adversary only after the choices of "playing" registers have been made w.r.t. all the instances.

The convenience of these definitions comes from the fact that, on the one hand, if an attack is phased then it cannot use in an earlier stage of one auxiliary instance of Ver the output from a later stage of another instance, while on the other hand, only the last bank's response in Ver provides any information about the string $x$. That is, assuming that an attack is (nearly-)phased limits considerably the possibilities for the adversary to use dependencies between different instances of Ver.

Our claim is the following. 

Lemma 5.6. If an attack exists that initiates at most $U$ and wins at least $u<U$ auxiliary instances of Ver with probability at least $\delta$, then there is a nearly-phased scenario that initiates and completes exactly $U$ and wins exactly $u$ instances of Ver with probability larger than

$$\Bigl(\delta-\frac{U}{2^{2t/3}}\Bigr)\cdot U^{-u}.$$

In the above statement by "initiating" an instance of Ver we mean sending a coin identification number to the bank and getting back a list of $t$ registers (step 2 of Ver).

Proof. The proof idea here is somewhat similar to that of Lemma 5.5: namely, if the output from a later stage of one auxiliary instance of Ver is used by the adversary in order to decide how to act in an earlier stage of another instance, we let a "new adversary" guess the future response of the first instance before actually receiving it from the bank, and act in the second instance under the assumption that the guess has been accurate.

Let $C$ be the attack, as guaranteed by the lemma condition.

First of all, let us turn it into $C'$ that always completes $U$ instances of Ver and is likely to win exactly $u$ of them. This first modification is straightforward: $C'$ behaves as $C$, except for the following modifications:

• If, according to $C$, no more auxiliary instances are needed but less than $U$ have been run, then $C'$ runs "dummy" instances of Ver (generating uniformly at random all messages that are sent to the bank), in order to make their total number equal $U$.

• If, according to $C$, some instances of Ver are aborted, $C'$ completes them in a "dummy" way.

• If at some point it occurs that $C'$ has already won $u$ instances of Ver, then it completes all remaining instances in a "dummy" way.

Note that the way $C'$ produces $\rho_1$ and $\rho_2$ is irrelevant for us now, as here we are only interested in the number of "accepts" among the preliminary runs of Ver.

Clearly, the probability that $C'$ wins at least $u$ instances is the same as in the case of $C$; on the other hand, $C'$ wins more than $u$ instances only if at least one "dummy" instance has been won. A single "dummy" instance is won with probability exactly $2^{-2t/3}$, and at least one is won with probability less than $U\cdot 2^{-2t/3}$. Therefore, $C'$ wins exactly $u$ instances of Ver with probability larger than

$$\delta-U\cdot 2^{-2t/3}. \qquad (6)$$

Now let us turn $C'$ into nearly-phased. The new attack $C''$ consists of 5 phases, as follows.

1. Initiate $U$ instances of Ver by sending the identification number of $c$ to the bank. Index the instances by $1,\dots,U$.

2. Get back $U$ $t$-tuples, denoting by $T^{(1)}_i$ the response from the $i$'th instance of Ver, $i\in[U]$.

3–4. Let $W\in\{0,1\}^U$ be a uniformly chosen binary vector of Hamming weight $u$; this is going to be the adversary's guess regarding the winning instances of Ver. Start emulating $C'$ skipping the first two steps of each instance of Ver, as those have been processed already (use the $T^{(1)}_i$'s as the bank's responses in step 2 of Ver). Skip all interaction with the bank beyond step 4; instead, whenever $C'$ acts depending on the bank's final response in the $i$'th instance of Ver, emulate $C'$ assuming that the response was $W_i$ (where "0" stands for "reject" and "1" stands for "accept"). Run the emulation until the bank's responses in step 4 have been received in all $U$ instances of Ver. For $i\in[U]$, denote by $T^{(2)}_i$ the $2t/3$-tuple chosen in step 3 of the $i$'th instance of Ver, and by $M_i\in\{0,1\}^{2t/3}$ the values sent by the bank in step 4 of the $i$'th instance.

5. Start a new emulation of $C'$, this time skipping steps 1–4 of each instance of Ver and respectively using the values $T^{(1)}_i$, $T^{(2)}_i$ and $M_i$ as the bank's responses. Do not interact with the bank beyond step 5; instead, whenever $C'$ acts depending on the bank's final response in the $i$'th instance of Ver, emulate $C'$ assuming that the response was $W_i$.

6. Receive the final responses from the bank, denote them by $V\in\{0,1\}^U$.

It is clear from the construction that $C''$ is nearly-phased.

Let us analyze the probability that $C''$ wins exactly $u$ instances of Ver. It is lower bounded by the probability that $V=W$, and that equals the probability that $C'$ wins $u$ instances of Ver and the right $W$ has been guessed in the beginning of phase "3–4" of $C''$. The string $W\in\{0,1\}^U$ is uniformly random of Hamming weight $u$, thus it is correct with probability at least $U^{-u}$. Therefore, (6) implies that $C''$ wins exactly $u$ instances of Ver with probability larger than $(\delta-U\cdot 2^{-2t/3})\cdot U^{-u}$, as required. ■

5.5 Phased cheating is slow 

In this section we will prove that nearly-phased attacks require many auxiliary instances of Ver in order to win enough of them for Lemma 5.5 to allow non-negligible counterfeiting success probability.

Lemma 5.7. A nearly-phased attack that initiates and completes $U$ auxiliary instances of Ver wins at least $3k/t$ of them with probability at most

$$e^{\,2\ln U-\Omega(t^2/k)}.$$

As before, by "initiating" an instance of Ver we mean sending a coin identification number to the bank and getting back a list of $t$ registers (step 2 of Ver).

Proof. Let $C$ be the nearly-phased attack under consideration. For $i\in[U]$, let random variables $T^{(1)}_i$, $T^{(2)}_i$ and $M_i$ describe the transcript of the $i$'th instance of Ver, as follows:

• $T^{(1)}_i$ takes the value of the $t$-tuple chosen by the bank in step 2;

• $T^{(2)}_i$ takes the value of the $2t/3$-tuple chosen by the adversary in step 3;

• $M_i\in\{0,1\}^{2t/3}$ contains the $2t/3$ "questions" chosen by the bank in step 4.

For $j\in T^{(1)}_i$, let $T^{(1)}_i[j]$ be the position of $j$ in $T^{(1)}_i$, and similarly define $T^{(2)}_i[j]$. For $j\in T^{(2)}_i$, let $M_i[j]$ be the $T^{(2)}_i[j]$'th bit of the value received by $M_i$; that is, $M_i[j]$ denotes the HMP_4-query asked in the $i$'th instance of Ver w.r.t. the register $j$.

For $i,j\in[U]$, $i\ne j$, let $S^{(2)}_{i,j}\stackrel{\text{def}}{=} T^{(2)}_i\cap T^{(2)}_j$ (viewed as a set) and

$$\widetilde S^{(2)}_{i,j}\stackrel{\text{def}}{=}\bigl\{\,s\in S^{(2)}_{i,j}\;\big|\;M_i[s]\ne M_j[s]\,\bigr\}. \qquad (7)$$

That is, $S^{(2)}_{i,j}$ contains the registers of $c$ that are part of the bank's challenge questions both in the $i$'th and in the $j$'th auxiliary instances of Ver, and $\widetilde S^{(2)}_{i,j}$ contains the registers where good answers to both possible HMP_4-queries have to be found in order to pass both the $i$'th and the $j$'th instances of Ver. Note that the attack $C$ produces answers to all the relevant HMP_4-queries not having any auxiliary information about $x$ ($C$ is nearly-phased, and the only bank's responses that contain information about $x$ are the final ones, which were not available to $C$ at the earlier phases).

Denote by $W_i$ the event that the $i$'th instance of Ver is won, and by $W_{i,j}$ the event that both the $i$'th and the $j$'th instances are won. For every $i\ne j$, Corollary 5.4 implies that

$$\Pr\bigl[\,W_{i,j}\;\big|\;\widetilde S^{(2)}_{i,j}\,\bigr] \;\le\; \Bigl(\frac34\Bigr)^{|\widetilde S^{(2)}_{i,j}|}. \qquad (8)$$

Let $r\in\mathbb{N}$, and denote by $\mathcal{E}$ the event that $W_{i,j}$ does not hold whenever $|\widetilde S^{(2)}_{i,j}|\ge r$ (later we will fix $r$ to make $\mathcal{E}$ very likely to occur). Then from (8),

$$\Pr[\mathcal{E}] \;\ge\; 1-U^2\cdot\Bigl(\frac34\Bigr)^{r}. \qquad (9)$$

Similarly, let $\bar r\in\mathbb{N}$ (to be fixed later), and denote by $\bar{\mathcal{E}}$ the event that $W_{i,j}$ does not hold whenever $|S^{(2)}_{i,j}|\ge\bar r$. Let $\mathcal{E}'$ be the event that $|\widetilde S^{(2)}_{i,j}|\ge r$ whenever $|S^{(2)}_{i,j}|\ge\bar r$; since $\mathcal{E}$ and $\mathcal{E}'$ together imply $\bar{\mathcal{E}}$, (9) gives

$$\Pr[\bar{\mathcal{E}}] \;\ge\; \Pr[\mathcal{E}'] - U^2\cdot\Bigl(\frac34\Bigr)^{r}. \qquad (10)$$

When $\bar{\mathcal{E}}$ holds, any two different elements of the family

$$\mathcal{F}\stackrel{\text{def}}{=}\bigl\{\,T^{(2)}_i\;\big|\;W_i\text{ holds}\,\bigr\}$$

share less than $\bar r$ elements. We choose

$$\bar r\stackrel{\text{def}}{=}\frac{2t^2}{9k},$$

then Lemma 3.4 implies that $|\mathcal{F}|<3k/t$, i.e.,

$$\bar{\mathcal{E}}\text{ holds} \;\Longrightarrow\; \text{less than }3k/t\text{ instances of Ver are won}. \qquad (11)$$

It remains to show that $\bar{\mathcal{E}}$ is likely to hold. Fix

$$r\stackrel{\text{def}}{=}\frac{t^2}{10k}$$

and let us see that $\mathcal{E}'$ is very likely to occur.

Before we deal with the nearly-phased case, suppose that $C$ is phased. In this case there is no dependence between the variables $(T^{(2)}_i)_{i=1}^U$ and the variables $(M_i)_{i=1}^U$, and therefore $\widetilde S^{(2)}_{i,j}$ is a randomly chosen subset of $S^{(2)}_{i,j}$, where each $s\in S^{(2)}_{i,j}$ independently becomes an element of $\widetilde S^{(2)}_{i,j}$ with probability $1/2$. By the Chernoff bound (Theorem 3.1), if $|S^{(2)}_{i,j}|\ge\bar r$ then $\Pr\bigl[|\widetilde S^{(2)}_{i,j}|<r\bigr]\le e^{-\Omega(r)}$ (note that $r<\bar r/2$, the expected size of $\widetilde S^{(2)}_{i,j}$), and therefore

$$\Pr[\mathcal{E}'] \;\ge\; 1-U^2\cdot e^{-\Omega(r)}. \qquad (12)$$

When $C$ is nearly-phased, the variables $(T^{(2)}_i)_{i=1}^U$ are not necessarily independent from $(M_i)_{i=1}^U$ (the adversary is allowed to choose the $2t/3$ "playing" registers in step 3 of the $i$'th instance of Ver depending on $M_j$ received from the bank in step 4 of the $j$'th instance of Ver, $j\ne i$). However, we claim that for every $j\ne i$ the values $\bigl\{M_i[s]\oplus M_j[s]\;\big|\;s\in T^{(2)}_i\cap T^{(2)}_j\bigr\}$ are unbiased and mutually independent, and this is all we need for (12) to hold (cf. (7)). Indeed, from the definition of Ver it is clear that at least one of $M_i$ and $M_j$ is chosen by the bank uniformly at random after the values of both $T^{(2)}_i$ and $T^{(2)}_j$ have been set by the choice of the adversary, and therefore $M_i[s]\oplus M_j[s]$ is unbiased.

From (10) and (12),

$$\Pr[\bar{\mathcal{E}}] \;\ge\; 1-e^{\,2\ln U-\Omega(t^2/k)}.$$

Together with (11), this implies the result. ■
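The step from "pairwise small overlaps" to "fewer than $3k/t$ winning instances" is delegated to Lemma 3.4, which is not reproduced on this page. As an added example (my own reconstruction, not the paper's proof), the following Python code carries out the elementary Bonferroni counting argument that yields that conclusion for the parameters of Lemma 5.7, and checks it against greedily constructed families. The overlap threshold $\bar r=2t^2/(9k)$ is taken from the proof above as I read it; function names are mine.

```python
"""Added example (not from the paper): the counting step behind Lemma 5.7.

Each won auxiliary instance of Ver exposes the 2t/3 registers the adversary
chose to "play" (T_i^(2)); when the event E-bar holds, any two such sets
share fewer than r_bar registers.  The functions below give the Bonferroni
counting argument that bounds how many such sets fit into k registers.
This is my reconstruction, not the paper's Lemma 3.4, and it assumes
r_bar = 2t^2/(9k).
"""
import math
import random


def family_size_bound(k, s, max_overlap):
    """Any family of s-element subsets of [k] whose members pairwise share at
    most max_overlap elements has FEWER than m members, where m is the least
    integer with   m*s - C(m,2)*max_overlap > k.
    Reason (Bonferroni): the union of any m such sets has at least
    m*s - C(m,2)*max_overlap elements, yet it lies inside [k].
    Returns None if no m satisfies the inequality (no bound from this argument)."""
    previous = -1
    m = 1
    while True:
        lower = m * s - math.comb(m, 2) * max_overlap
        if lower > k:
            return m
        if lower < previous:
            # lower(m) is concave in m: once it decreases it never exceeds k.
            return None
        previous = lower
        m += 1


def lemma_5_7_threshold(k, t):
    """Parameters of Lemma 5.7: sets of size s = 2t/3 overlapping pairwise in
    fewer than r_bar = 2t^2/(9k) registers (assumed value).  Returns
    (bound, 3k/t); the proof needs bound <= 3k/t, i.e. fewer than 3k/t
    instances can be won while E-bar holds."""
    s = 2 * t // 3
    r_bar = 2 * t * t / (9 * k)
    max_overlap = math.ceil(r_bar) - 1          # "fewer than r_bar" elements
    return family_size_bound(k, s, max_overlap), 3 * k / t


def greedy_family(k, s, max_overlap, trials=3000, seed=1):
    """Constructed sanity check: greedily collect random s-subsets of [k]
    that pairwise overlap in at most max_overlap elements.  Its size is
    always below family_size_bound(k, s, max_overlap)."""
    rng = random.Random(seed)
    universe = list(range(k))
    family = []
    for _ in range(trials):
        cand = frozenset(rng.sample(universe, s))
        if all(len(cand & f) <= max_overlap for f in family):
            family.append(cand)
    return family


if __name__ == "__main__":
    for k, t in ((900, 90), (1000, 150)):
        bound, threshold = lemma_5_7_threshold(k, t)
        print(f"k={k} t={t}: fewer than {bound} winning instances (3k/t = {threshold})")
```

For $m=3k/t$ sets of size $2t/3$ with overlaps below $2t^2/(9k)$ the Bonferroni lower bound on the union evaluates to $2k-k=k$ up to lower-order terms, which is why $2t^2/(9k)=s^2/(2k)$ is exactly the threshold at which the counting argument starts to bite.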
5.6 Q is safe 

We are ready to prove the main theorem. 

Theorem 5.1. Let a fresh Q-coin be given to a computationally unlimited adversary who runs auxiliary instances of Ver for this coin and produces two (possibly, entangled) "counterfeits" $\rho_1$ and $\rho_2$. Then

$$U\in e^{\Omega(t^3/k^2)}$$

exists, such that if the adversary has received and analyzed the first bank's responses in at most $U$ instances of Ver, then the probability that both $\rho_1$ and $\rho_2$ pass Ver is in

$$e^{-\Omega(t^2/k)}.$$

Proof. From Lemmas 5.6 and 5.7 it follows that an attack $C$ that receives the first responses in at most $U$ auxiliary instances of Ver can win at least $3k/t$ of them with probability at most

$$e^{\,O(k/t)\ln U-\Omega(t^2/k)}.$$

Then Lemma 5.5 (applied with $u<3k/t$) implies that $C$ succeeds in counterfeiting the coin $c$ with probability at most

$$e^{\,O(k/t)\ln U-\Omega(t^2/k)},$$

and the result follows, since for $\ln U\in O(t^3/k^2)$ with a small enough constant the exponent is $-\Omega(t^2/k)$. ■



6 Optimality of Q 

In this part we consider a generic quantum money scheme with classical verification, where the qubit-size of a coin is $K$ and a secret bank record describing a coin contains $R$ bits.
Let us define the counterfeiting complexity of a quantum money scheme as

$$\min_{\varepsilon}\Bigl\{\max\bigl\{\,1/\varepsilon,\ (\text{time required to counterfeit a coin with success probability at least }\varepsilon)\,\bigr\}\Bigr\};$$

this definition is a lower bound on what we intuitively mean by "time required to forge a counterfeit".[10] Note that Theorem 5.1 and Corollary 5.2 imply that the counterfeiting complexity of Q is exponential both in $K$ and in $R$.

[10] Instead, one might consider the time required to counterfeit a coin with constant success probability. The (asymptotic) time complexity of an attack that succeeds with constant probability is an upper bound on the counterfeiting complexity, as defined above. Note that our scheme from the previous section has high counterfeiting complexity, therefore it is secure in the stronger sense. On the other hand, the upcoming (formal) optimality statements will be made w.r.t. attacks that achieve constant success probability, which will make those statements also as strong as possible. Intuition-wise, we find the definition with "flexible $\varepsilon$" more appealing, that is why we use it in the informal discussion.

First of all, $2^R$ adversarial verification attempts are enough to exhaustively check all possible bank's records, and therefore $O(2^R)$ is an upper bound on the counterfeiting complexity of any quantum scheme. So, in the case of Q the length of a bank record as a function of counterfeiting complexity is polynomially-close to optimal.

Can the counterfeiting complexity be super-exponential in $K$? We could not find a simple argument against this possibility. The counterfeiting complexity of Q is exponential in $K$ (which can probably be viewed as "reasonably good"), and we leave the question above as an open problem.

There is one parameter in the construction of Q that one might like to improve, namely the number of verification rounds that a new quantum coin can go through before it has to be returned to the bank. In this section we show that no scheme can allow this number to be larger than linear in $K$, and therefore our construction is polynomially-close to the optimal in this respect also.

Theorem 6.1. Let $T$ be the number of times that a new coin can be verified via classical communication with the bank before it has to be replaced. Suppose that if a fair user verifies a fresh coin $T$ times in a sequence then all $T$ verifications are passed with probability at least $8/9$. Then either $T$ auxiliary instances of the verification protocol are sufficient for an adversary to counterfeit a coin with probability at least $2/3$, or a coin contains $\Omega(T)$ qubits (or both).

To prove the theorem we will need the following technical statement (which might be of independent interest).

Lemma 6.2. Let $A$ and $B$ be discrete random variables, such that there exists a condition that can be satisfied with probability at most $\alpha$ by the value of any random variable independent from $A$. If the value of $B$ satisfies the condition with probability at least $\beta>\alpha$, then

$$I(A:B)\;\ge\;2(\beta-\alpha)^2.$$

First we prove the theorem, then the lemma. 

Proof sketch of Theorem 6.1. Assume that more than $T$ auxiliary instances of the verification procedure are required for an adversary to counterfeit a coin with probability at least $2/3$.

To argue that a coin consists of $\Omega(T)$ qubits, let us show that its "quantum part" has mutual information $\Omega(T)$ with the bank's secret record. To make sure that we are not counting information carried by the classical part of a coin, let us assume w.l.g. that the first message of the verification protocol is sent by the coin holder to the bank and contains all the classical information that the coin contained when it was fresh.

Let $L_1,\dots,L_T$ be random variables, respectively taking values of the transcripts of $T$ sequentially executed protocols for coin verification via classical communication (assuming that the coin holder fairly follows the protocol, and that the coin was fresh when the first verification started). For convenience (and w.l.g.), assume that a transcript provides complete information about the action taken by a fair coin holder w.r.t. the coin being verified. Let $\rho$ be the mixed state of a fresh coin whose secret record is unknown, and for every $j\in[T]$ and $\ell_1,\dots,\ell_j$, let $\rho_{\ell_1,\dots,\ell_j}$ be the state of a fresh coin that went through $j$ verification protocols whose transcripts were, respectively, $\ell_1,\dots,\ell_j$.

Let $(\ell_i)_{i=1}^T$ be the values taken by $(L_i)_{i=1}^T$. Denote by $\mathcal{R}$ a random variable describing the bank's secret record corresponding to the coin under consideration. Let $S(\cdot:\cdot)$ denote quantum mutual information; we claim that

$$\forall i\in[T]:\quad \mathbf{E}\bigl[S(\rho_{\ell_1,\dots,\ell_{i-1}}:\mathcal{R})-S(\rho_{\ell_1,\dots,\ell_i}:\mathcal{R})\bigr]\;\ge\;\frac{1}{2592}, \qquad (13)$$

where the expectation is taken w.r.t. the choice of $(L_i)_{i=1}^T$ (and $\rho_{\ell_1,\dots,\ell_{0}}$ stands for $\rho$). From (13) it follows that $S(\rho:\mathcal{R})\in\Omega(T)$, and Holevo's bound implies that $\rho$ consists of $\Omega(T)$ qubits, as required.

To prove (13) we will also use Holevo's bound. For simplicity let us assume that each run of the verification protocol requires exactly one quantum measurement to be performed by the coin holder (the case of many measurements is treated similarly).

Fix $i\in[T]$. Observe that if during the $i$'th run of the verification protocol the coin holder would not perform any quantum measurement, instead making the "best guess" responses based on the previous transcripts $\ell_1,\dots,\ell_{i-1}$, then the probability to pass the verification would be less than $7/8$: otherwise an adversary could, based on the transcripts $\ell_1,\dots,\ell_{i-1}$, prepare two counterfeits that would both pass the verification with probability at least $(7/8)^2>2/3$, contradicting the assumptions of the theorem. On the other hand, by making the quantum measurement, as prescribed by the verification protocol, a fair coin holder is able to pass the verification with probability at least $8/9$, also guaranteed by the theorem assumptions.

Conditional on $\ell_1,\dots,\ell_{i-1}$ being the values taken by $L_1,\dots,L_{i-1}$, the following holds. The acceptance condition of the $i$'th verification can be satisfied with probability at most $7/8$ by a random variable that doesn't depend on $\mathcal{R}$; at the same time the outcome of the quantum measurement performed by the coin holder satisfies the condition with probability at least $8/9$. Therefore, Lemma 6.2 implies that the expected conditional mutual information between the measurement outcome and $\mathcal{R}$ is at least $2\,(8/9-7/8)^2=1/2592$. Holevo's bound implies (13), and the result follows. ■ (Theorem 6.1)



Proof of Lemma 6.2. W.l.g., assume that the condition under consideration is a function of the value taken by $B$. Let $X$ and $Y$ be the supports of $A$ and $B$, respectively. For every $b\in Y$, let $X_b\subseteq X$ be the set of values of $A$ that satisfy the condition when $B=b$. Let $\mu$ be the distribution of $A$, and let $\mu_b$ be the distribution of $A$ conditional upon $B=b$. Let $\alpha_b\stackrel{\text{def}}{=}\mu(X_b)$ and $\beta_b\stackrel{\text{def}}{=}\mu_b(X_b)$. The requirements of the lemma assure that

$$\mathbf{E}_{B=b}[\alpha_b]\le\alpha \quad\text{and}\quad \mathbf{E}_{B=b}[\beta_b]\ge\beta. \qquad (14)$$

By definition,

$$I(A:B)=\mathbf{E}_{B=b}\bigl[d_{KL}(\mu_b\,\|\,\mu)\bigr]=\mathbf{E}_{B=b}\Bigl[\sum_{x\in X}\mu_b(x)\cdot\log\frac{\mu_b(x)}{\mu(x)}\Bigr], \qquad (15)$$

and this is the value we want to bound from below. We have

$$\sum_{x\in X_b}\mu_b(x)\cdot\log\frac{\mu_b(x)}{\mu(x)} \;=\; \beta_b\cdot\Bigl[d_{KL}\Bigl(\frac{\mu_b|_{X_b}}{\beta_b}\,\Big\|\,\frac{\mu|_{X_b}}{\alpha_b}\Bigr)+\log\frac{\beta_b}{\alpha_b}\Bigr] \;\ge\; \beta_b\cdot\log\frac{\beta_b}{\alpha_b},$$

where the inequality follows from non-negativity of $d_{KL}(\cdot\|\cdot)$ and the fact that, restricted to $X_b$, both $\mu_b/\beta_b$ and $\mu/\alpha_b$ are probability distributions. Similarly,

$$\sum_{x\notin X_b}\mu_b(x)\cdot\log\frac{\mu_b(x)}{\mu(x)} \;\ge\; (1-\beta_b)\cdot\log\frac{1-\beta_b}{1-\alpha_b},$$

leading to

$$\sum_{x\in X}\mu_b(x)\cdot\log\frac{\mu_b(x)}{\mu(x)} \;\ge\; \beta_b\cdot\log\frac{\beta_b}{\alpha_b}+(1-\beta_b)\cdot\log\frac{1-\beta_b}{1-\alpha_b} \;=\; d_{KL}\bigl(\mathcal{B}_{\beta_b}\,\|\,\mathcal{B}_{\alpha_b}\bigr) \;\ge\; 2(\alpha_b-\beta_b)^2,$$

where $\mathcal{B}_p$ denotes the Bernoulli distribution with probability $p$ for outcome "1", and the last inequality follows from Pinsker's inequality. Plugging this into (15), we obtain the desired

$$I(A:B)\;\ge\;2\,\mathbf{E}_{B=b}\bigl[(\alpha_b-\beta_b)^2\bigr]\;\ge\;2(\beta-\alpha)^2,$$

where the last inequality follows from (14) together with Jensen's inequality, $\mathbf{E}_{B=b}[(\beta_b-\alpha_b)^2]\ge(\mathbf{E}_{B=b}[\beta_b-\alpha_b])^2$. ■ (Lemma 6.2)
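As an added example that is not part of the paper, the following Python code evaluates the quantities appearing in the proof of Lemma 6.2 ($\alpha_b$, $\beta_b$, the Bernoulli divergence $d_{KL}(\mathcal{B}_{\beta_b}\|\mathcal{B}_{\alpha_b})$ and $I(A:B)$) on a constructed joint distribution and checks the chain of inequalities $I(A:B)\ge\mathbf{E}_b[d_{KL}(\mathcal{B}_{\beta_b}\|\mathcal{B}_{\alpha_b})]\ge 2(\beta-\alpha)^2$. Logarithms are natural, so Pinsker's inequality holds with the constant 2 exactly as in the proof; the input distribution and all names are mine.

```python
"""Added example (not from the paper): checking Lemma 6.2 on a constructed
joint distribution, following the decomposition used in its proof.

Convention (mine): mutual information and divergences in nats, so that
Pinsker's inequality reads d_KL(B_p || B_q) >= 2 (p - q)^2.
"""
import math
from collections import defaultdict


def marginals(joint):
    """joint: {(a, b): prob}.  Returns (mu, nu), the marginals of A and B."""
    mu, nu = defaultdict(float), defaultdict(float)
    for (a, b), p in joint.items():
        mu[a] += p
        nu[b] += p
    return dict(mu), dict(nu)


def mutual_information(joint):
    """I(A:B) = E_{B=b}[d_KL(mu_b || mu)], evaluated as
    sum_{a,b} p(a,b) log( p(a,b) / (p(a) p(b)) )."""
    mu, nu = marginals(joint)
    return sum(p * math.log(p / (mu[a] * nu[b]))
               for (a, b), p in joint.items() if p > 0)


def bernoulli_kl(p, q):
    """d_KL(B_p || B_q) in nats, with the convention 0 log 0 = 0."""
    def term(x, y):
        if x == 0:
            return 0.0
        return math.inf if y == 0 else x * math.log(x / y)
    return term(p, q) + term(1 - p, 1 - q)


def lemma_6_2_terms(joint, satisfies):
    """satisfies(a, b): does value a of A meet the condition when B = b?
    alpha_b = mu(X_b), beta_b = mu_b(X_b) as in the proof.
    alpha: best success probability of any value chosen independently of A,
           i.e. max_b mu(X_b).
    beta:  Pr[A in X_B] for the actual B, i.e. E_b[beta_b].
    Also returns E_b[d_KL(B_{beta_b} || B_{alpha_b})], the intermediate
    lower bound on I(A:B) established in the proof."""
    mu, nu = marginals(joint)
    alpha_b = {b: sum(p for a, p in mu.items() if satisfies(a, b)) for b in nu}
    beta_b = {b: sum(joint.get((a, b), 0.0) for a in mu if satisfies(a, b)) / nu[b]
              for b in nu}
    alpha = max(alpha_b.values())
    beta = sum(nu[b] * beta_b[b] for b in nu)
    expected_kl = sum(nu[b] * bernoulli_kl(beta_b[b], alpha_b[b]) for b in nu)
    return alpha, beta, expected_kl


def noisy_copy_joint(n=4, p_copy=0.5):
    """Constructed input: A uniform on {0,...,n-1}; B equals A with probability
    p_copy and is an independent uniform value otherwise."""
    return {(a, b): (1.0 / n) * ((p_copy if a == b else 0.0) + (1 - p_copy) / n)
            for a in range(n) for b in range(n)}


def check_lemma(joint, satisfies):
    """Returns (I(A:B), alpha, beta, 2(beta-alpha)^2, E_b[KL]).
    The proof gives I(A:B) >= E_b[KL] >= 2(beta-alpha)^2."""
    mi = mutual_information(joint)
    alpha, beta, ekl = lemma_6_2_terms(joint, satisfies)
    return mi, alpha, beta, 2 * (beta - alpha) ** 2, ekl


if __name__ == "__main__":
    # Condition "the value of B equals A": alpha = 1/4, beta = 5/8.
    print(check_lemma(noisy_copy_joint(), lambda a, b: a == b))
```

For the condition "B guesses A exactly" the first inequality of the proof is tight (the restriction of $\mu_b$ to $X_b$ is proportional to $\mu$ there), so $I(A:B)$ coincides with $\mathbf{E}_b[d_{KL}(\mathcal{B}_{\beta_b}\|\mathcal{B}_{\alpha_b})]$; a two-element condition such as $X_b=\{b,b+1\}$ shows the strict case.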

7 Conclusions 

We constructed a quantum money scheme Q that allows verifying a coin via classical communication with a bank. Thus we have proved the existence of secure quantum money schemes that do not require quantum communication for coin verification.
Our scheme has the following properties.

• The coins are exponentially hard to counterfeit, even if an adversary adaptively uses repeated verification attempts in order to collect information about a coin.

• The classical communication channel used for verification can be unsecured.

• The database of the bank is static.

• The dependence between the number of verifications that a Q-coin can go through and the number of qubits that it contains is optimal, up to a polynomial.

There are (at least) two questions that remain open:

• Is it possible to build anonymous quantum money schemes with classical verification, by allowing multiple identical instances of quantum coins, as suggested by Mosca and Stebila [MS10]?

• Is it possible to have the counterfeiting complexity of quantum money super-exponential in the number of qubits that a coin contains (cf. Section 6)?